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I .   INTRODUCTION 

A .   BACKGROUND 

The  Nonappropriated  Fund  Instrumentality  (NAFI)  is  a  tool 
of  the  Department  of  Defense  (DOD)  and  the  individual 
services.  It  is  designed  to  provide  an  essential  function  in 
support  of  the  Morale,  Welfare  and  Recreation  (MWR)  needs  of 
military  personnel,  civilian  employees,  reservists,  retirees, 
eligible  family  members,  and  other  authorized  users. 
[Ref.  l:p.  18] 

NAFI's  are  classified  in  accordance  with  a  standard  DOD 
classification  system.  The  designator  of  the  NAFI  in  this 
study  falls  into  category  D,  which  contains  business 
activities  that  are  highly  desirable  for  providing 
recreational  activity  but  are  less  essential  to  the  overall 
military  mission.  [Ref.  l:p.  11] 

Category  D  NAFI's  are  reguired  to  be  self-supporting  and 
generate  funds  through  operations  to  support  the  MWR  programs 
reguired  and  desired  by  the  base  on  which  they  are  located. 
The  NAFI's  are  to  operate  in  the  most  profitable  manner 
possible  to  generate  excess  funds  for  subsidizing  unprofitable 
MWR  activities.  Subsidizing  is  permissible  when  the 
activities  are  deemed  highly  desirable  by  the  base  commander 


and  can  be  adequately  funded  through  the  excess  funds  of  other 
profitable  MWR  activities.   [Ref.  l:p.  13] 

The  NAFI  which  is  the  subject  of  this  study  is  the  Golf 
Course  Pro  Shop  and  Dining  Facility  located  at  Fort  Ord, 
California. 

B.   PURPOSE  AND  OBJECTIVES  OF  THE  RESEARCH 

The  mandate  that  NAFI's  be  self-sufficient  where  possible 
requires  that  each  category  D  business  activity  be  operated  in 
the  most  efficient  manner  feasible.  Efficiency  allows  base 
commanders  to  provide  additional  MWR  activities  to  assigned 
personnel  from  the  excess  funds  generated  by  profitable 
NAFI's.  To  ensure  the  efficient  operation  of  each  NAFI,  the 
use  of  internal  controls  is  required.  The  statutory 
requirements  for  the  implementation  and  establishment  of 
internal  control  systems  extends  from  the  Federal  Manager's 
Financial  Integrity  Act  (Public  Law  97-255)  to  Office  of 
Management  and  Budget  (OMB)  Circular  A-123.   [Ref.  2:p.  4] 

The  purpose  and  objective  of  this  thesis  is  threefold: 
first,  to  determine  the  internal  control  requirements  mandated 
by  higher  authority  for  the  NAFI;  second,  to  evaluate  the 
internal  controls  presently  in  effect  within  the  NAFI 
structure;  and,  finally,  to  determine  the  extent  to  which 
management  controls  meet  the  requirements  of  internal  control 
criteria  and  are  effective  in  preventing  and  detecting 
unauthorized  procedures  and  errors. 


C.  SCOPE  OF  RESEARCH 

The  thesis  is  limited  in  scope  to  those  activities  and 
functions  which  are  performed  locally  at  the  Ft.  Ord  Golf 
Course  Pro  Shop  and  Dining  Facility.  The  critical  areas  of 
research  are  those  which  present  the  greatest  risk  of  material 
loss  to  the  financial  operation  of  the  NAFI .  Specific  cycles 
which  are  germane  to  this  study  are  the  receipt  and  control  of 
cash,  the  receipt  and  control  of  merchandise  and  inventory, 
and  the  administration  of  the  payroll  function.  The  majority 
of  accounting  functions  are  performed  by  a  Central  Accounting 
Office  (CAO)  which  is  geographically  separated  from  the  NAFI; 
therefore,  these  functions  are  not  the  subject  of  this 
thesis.  Those  accounting  and  record  keeping  functions  which 
are  under  local  control  have  been  examined  as  they  pertain  to 
the  critical  areas  in  this  study. 

The  scope  is  limited  to  those  aspects  of  the  business 
operation  which  are  under  direct  control  of  local  NAFI 
management  personnel. 

D.  METHODOLOGY  OF  RESEARCH 

The  study  began  with  an  identification  of  the  internal 
control  reguirements  that  are  mandated  for  the  NAFI  by  higher 
authority.  This  was  achieved  by  reviewing  appropriate 
literature  and  documentation  including  Army  Regulations, 


Department  of  Defense  (DOD)  Directives,  Department  of  the  Army 
Pamphlets,  and  locally  prepared  regulations  and  organizational 
documents . 

The  next  step  was  to  obtain  an  understanding  of  the 
internal  controls  which  were  present  at  the  NAFI.  To  achieve 
this  objective,  three  investigative  tools  were  employed. 
Control  guestionnaires  were  developed  from  sources  which 
delineated  internal  control  and  operating  reguirements  for  the 
NAFI.  Discussions  with  personnel  and  observance  of  daily  and 
routine  operations  were  conducted  to  increase  knowledge  and 
understanding  of  existing  procedures.  Finally,  the  critical 
operations  were  flowcharted  to  give  a  graphic  display  of 
transaction  steps. 

The  final  step  was  to  test  the  controls  in  place  at  the 
NAFI  and  make  an  evaluation  as  to  the  efficiency  and 
effectiveness  of  the  implemented  system.  Attribute  sampling 
and  tests  of  controls  were  used  to  test  the  effectiveness  of 
the  internal  controls  in  preventing  and  detecting  unauthorized 
procedures  and/or  loss  of  NAFI  assets. 

E.   THESIS  ORGANIZATION 

The  thesis  is  organized  in  seguential  steps  as  outlined  in 
the  following  paragraphs. 

Chapter  II  discusses  the  background  of  internal  controls, 
their  purpose,  use,  and  mandate  for  implementation  within  the 
government  and  in  particular  the  NAFI. 


Chapter  III  provides  the  steps  to  obtaining  an 
understanding  of  internal  controls  and  depicts  that 
understanding  through  presentation  of  narrative  descriptions, 
flowcharts,  and  internal  control  questionnaires. 

Chapter  IV  discusses  the  evaluation  of  the  internal 
control  system  for  the  NAFI.  This  section  includes  tests  of 
controls  and  attribute  sampling  used  to  arrive  at  the 
effectiveness  of  the  internal  control  structure  as  implemented 
by  the  NAFI. 

Chapter  V  analyses  the  data  and  findings  and  offers 
recommendations  for  the  improvement  of  internal  controls 
within  the  NAFI. 


II.   INTERNAL  CONTROLS  OVERVIEW 

A.   INTRODUCTION 

The  Accounting  and  Auditing  Act  of  1950  established  the 
reguirement  for  Government  agencies  to  institute  and  maintain 
adeguate  systems  of  internal  control.  However,  to  combat 
continuous  reported  instances  of  fraud,  waste,  and  abuse  of 
Government  resources,  the  Office  of  Management  and  Budget 
(0MB)  Circular  A-123  was  issued  in  October  1981.  This 
expounded  internal  control  objectives  and  standards  in  an 
effort  to  strengthen  and  eliminate  weaknesses  within  the 
internal  control  system  of  the  Government  agencies. 
[Ref.  3:p.  1] 

The  Accounting  and  Auditing  Act  of  1950  was  later  amended 
by  the  Federal  Manager's  Financial  Integrity  Act  of  1982,  P.L. 
97-255,  which  revised  some  of  the  reporting  and  administrative 
standards  for  agency  heads  while  leaving  the  reguirements  and 
objectives  essentially  unchanged.   [Ref.  3:p.  1] 

These  legislative  documents,  combined  with  the  revised 

Office  of  Management  and  Budget  Circular  A-123  of  1983, 

established  the  internal  control  policy  for  agencies  within 

the  framework  of  the  Federal  Government. 

Policy.  Agencies  shall  maintain  effective  systems  of 
accounting  and  administrative  control.  All  levels  of 
management  shall  involve  themselves  in  assuring  the 
adeguacy  of  controls.   New  programs  shall  incorporate 


effective  systems  of  internal  control.  All  systems 
shall  be  evaluated  on  an  ongoing  basis,  and 
weaknesses,  when  detected,  shall  be  promptly 
corrected.  Reports  shall  be  issued,  as  required,  on 
internal  control  activities  and  the  results  of 
evaluations.   [Ref.  3:p.  2] 


B.   OBJECTIVES  OF  INTERNAL  CONTROL 

The  objective  of  an  internal  control  system  for  a 

government  is  best  described  by  the  following: 

Establishing  and  maintaining  an  internal  control  structure 
is  an  important  management  responsibility.  Good  internal 
controls  are  essential  to  achieving  the  proper  conduct  of 
government  business  with  full  accountability  for  the 
resources  made  available.  They  also  facilitate  the 
achievement  of  management  objectives  by  serving  as  checks 
and  balances  against  undesired  actions.  An  entity's 
internal  control  structure  consists  of  the  policies  and 
procedures  established  to  provide  reasonable  assurance 
that  specific  entity  objectives  will  be  achieved. 
[Ref.  4: p.  4.7] 

Within  this  basic  definition,  internal  control  objectives 

have  been  further  delineated  into  two  categories,  general  and 

specific.   The  general  aspect  of  the  objectives  are  their 

universal  applicability  to  all  government  entities.   The  Army 

has  defined  these  broad  objectives  for  the  NAFI  internal 

control  system  to  ensure: 

(1)  Adherence  to  applicable  laws,  regulations,  and 
policies 

(2)  Transactions  are  carried  out  as  authorized 

(3)  Resources  are  safeguarded  from  unauthorized  use  or 
disposition 

(4)  Financial  and  statistical  records  and  reports  are 
reliable  and  accurate 


(5)   Resources  are  efficiently  and  effectively  managed. 
[Ref.  5: p.  1] 

Each  manger  is  responsible  to  translate  these  general 
objectives  into  specific  objectives  which  relate  to  the 
activity  for  which  he  or  she  is  responsible,  with  the  goal  of 
meeting  the  broad  objectives  across  the  entire  business 
activity. 

The  Federal  Managers'  Financial  Integrity  Act  supports 
this  view  of  broad  objectives.  The  act  specifies  that 
internal  control  objectives  are  to  provide  management  with 
reasonable  assurance  that: 

(1)  Costs  and  obligations  conform  with  current  law 

(2)  Assets  are  protected  from  loss,  waste, 
misappropriation,  or  unauthorized  use 

(3)  Accounting  functions  are  performed  accurately  so  that 
reliable  financial  reports  and  statistical  data  may 
be  obtained.  [Ref.  3: p.  5] 

The  internal  control  objectives  provide  the  overview  for  the 

purpose  and   function  of   internal  control   systems.    To 

implement  these  objectives,  internal  control  standards  have 

been  developed  by  the  Comptroller  of  the  United  States  to 

establish  the  criteria  by  which  internal  control  system 

guality  is  to  be  measured  and  evaluated.  [Ref.  6:p.  6] 

C.   INTERNAL  CONTROL  STANDARDS 

The  GAO  has  established  12  Standards  which  have  been 
subdivided  into  five  general  internal  management  control 
standards   and   six   specific   internal   management   control 


standards.  The  last  standard  relates  to  resolution  of  audit 
results  in  a  prompt  manner  [Ref.  7: p.  124]  The  NAFI  is 
responsible  for  adherence  to  these  same  standards,  as  directed 
by  Army  Regulation  11-2,  which  considers  the  standards,  and 
execution  of  them,  to  be  the  basic  Federal  Managers'  Financial 
Integrity  Act  responsibility  of  every  Army  manager. 
[Ref.  6:p.  6] 

The  following  is  a  list  of  the  general  and  specific 
standards  with  a  brief  explanation  of  each.   [Ref.  6:p.  6-8] 

General  Standards: 

( 1 )  Reasonable  Assurance 

Reasonable  assurance  implies  and  recognizes  that  the 
cost  of  implementation  of  internal  controls  must  be  cost 
effective  and  practical.  The  attainment  of  100%  assurance  is 
not  feasible,  but  every  attempt  must  be  made  to  achieve  a 
satisfactory  level  of  confidence  given  constraints  of  cost, 
staffing,  and  risk.  Judgement  is  a  key  factor  in  implementing 
this  standard  and  may  require  frequent  review  to  meet  current 
or  changing  needs. 

( 2 )  Supportive  Attitude 

Management  is  required  by  this  standard  to  show  a 
consistent,  positive  attitude  toward  the  implementation  and 
importance  of  the  internal  control  program  within  their  area 
of  responsibility.  It  is  essential  that  this  attitude  be 
demonstrated  and  projected  to  foster  within  subordinates  the 


absolute  importance  of  a  well  functioning  and  effective 
control  system.  Clear  lines  of  authority  must  be  established 
in  this  effort  and  personnel  integrity  manifested  to  nurture 
employee  participation. 

( 3 )  Competent  Personnel 

Personnel  integrity  must  be  maintained  and  employees 
must  have  reguisite  training  to  accomplish  assigned  job  tasks. 
This  standard  is  achieved  by  implementing  an  active  code  of 
conduct,  providing  necessary  job  training,  and  evaluating 
personnel  on  a  continuing  basis.  Managers  have  added 
responsibility  to  enact  and  maintain  systems  of  internal 
controls  and  should  have  this  as  a  major  element  of  their  job 
review. 

( 4 )  Control  Objectives 

These  are  the  objectives  the  manager  or  agency 
authority  establishes  to  meet  the  reguirements  of  the 
particular  business  activity,  being  developed  for  the  specific 
transaction  cycles  which  are  appropriate.  These  objectives 
should  be  consistent  with  those  broad  objectives  established 
under  the  Federal  Managers'  Financial  Integrity  Act. 

( 5)  Control  Technigues 

Control  technigues  are  the  mechanisms  that  are 
actually  used  to  implement  the  internal  control  system. 
Technigues  must  be  effective  and  efficient  to  satisfy  the 
objectives  of  internal  controls.  Included  in  this  area  are 
physical  measures,   specific  policies  and  procedures,  and 

10 


organizational  arrangements.  These  technigues  need  to  be 
practical  in  actual  use  and  they  need  to  produce  the  desired 
benefit  with  minimum  implementation  effort.  The  critical 
control  technigues  make  up  the  specific  standards  and  follow 
in  the  next  few  paragraphs. 
Specific  Standards: 

( 1 )  Documentation 

The  documentation  standard  reguires  that  all 
pertinent  information  and  transactions  be  recorded  in  a 
systematic  way.  The  documentation  is  to  be  readily  available 
for  examination  by  appropriate  authority.  The  internal 
control  system  is  to  be  clearly  documented  and  should  identify 
transaction  cycles  and  the  related  objectives  and  control 
technigues  which  are  in  place. 

( 2 )  Recording  of  Transactions  and  Events 

For  information  to  be  relevant  to  the  manager  and  the 
agency  as  a  whole,  transactions  of  significance  must  be 
promptly  recorded  and  accurately  classified.  This  information 
and  the  maintenance  of  the  recording  process  is  crucial  to  the 
ability  of  the  organization  to  produce  meaningful  and  accurate 
financial  reports. 

( 3 )  Execution  of  Transactions  and  Events 

To  ensure  that  only  authorized  transactions  and  use 
of  assets  occurs,  steps  must  be  instituted  to  ensure  that  only 
authorized  personnel  approve  transactions.  This  authorization 
should  be  clearly  delineated  and  serves  as  the  most  effective 
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link  to  prohibit  unauthorized  or   illegal   contracts   or 
agreements . 

(4 )  Separation  of  Duties 

To  prevent  wrongful  or  erroneous  acts  from  being 
either  hidden  or  undetected,  no  single  individual  should  be  in 
a  position  to  control  all  key  events  in  a  cycle  or 
transaction.  Prevention  is  assured  by  dividing  key  duties 
between  individuals.  Key  duties  include  authorizing, 
issuing,  receiving,  making  payments,  and  auditing 
transactions . 

( 5)  Supervision 

Supervisors  should  constantly  review  and  approve  work 
performed  by  employees.  To  ensure  the  proper  flow  of  work, 
supervisory  involvement  must  be  present  to  detect  weaknesses 
in  training,  understanding,  and  performance.  The  supervisor 
is  also  to  supervise  the  implementation  of  the  internal 
control  process  to  ensure  effectiveness  and  efficiency. 

( 6 )  Access  to  and  Accountability  for  Resources 

To  reduce  the  risk  of  loss  or  unauthorized  use,  a 
system  of  accountability  for  resources  must  be  employed. 
Individuals  or  organizations  responsible  for  custody  and 
maintenance  of  assets  should  be  clearly  defined  in  writing 
with  a  systematic,  periodic  review  of  such  responsibilities. 
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Audit  Resolution  and  Accounting  System  Standard: 

(1)   Prompt  Resolution  of  Audit  Findings 

This  standard  specifies  that  managers  are  to  respond 
promptly  to  audit  findings,  making  appropriate  corrections  as 
necessary  within  reguired  time  guidelines. 

The  objectives  and  standards  form  the  framework  and 
expectations  for  an  internal  control  system.  To  understand 
the  extent  to  which  an  internal  control  system  meets  these 
guidelines,  a  plan  of  investigation  must  be  formulated. 
Planning  an  internal  control  review  is  reguired  to  know  what 
areas  are  necessary  to  examine  and  what  steps  will  be  reguired 
to  complete  an  evaluation. 

D.   PLANNING  INTERNAL  CONTROL  REVIEW 

Planning  an  internal  control  review  reguires  following 
relatively  standard  guidelines.  To  begin  a  review,  the 
evaluator  must  decide  on  the  scope  of  the  review  and  identify 
the  internal  control  objectives  which  are  to  be  met 
[Ref  4: p.  6.14].  The  Department  of  the  Army  has  established 
a  planning  outline  for  review  of  internal  controls  for  NAFIs. 
[Ref  5:p  3,4] 

The  first  step  in  this  planning  phase  is  gathering 
documentation  for  internal  control  identification.  This  step 
includes  review  of  applicable  regulations,  rules,  and 
legislative  guidance.  It  also  includes  review  of  standard 
operating  procedures,   organizational  charts,   and  mission 
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statements.  The  documented  evidence  allows  the  evaluator  to 
establish  the  event  or  transactions  cycles  which  are  pertinent 
to  the  operation  under  evaluation.   [Ref  5: p.  32] 

Having  identified  the  event  cycles  of  the  business,  the 
second  step  is  to  walk  through  the  various  processes  to  gain 
a  fuller  understanding  of  the  business  and  its  functional 
characteristics.   [Ref  5:p.  4] 

The  third  step  involves  preparation  of  flowcharts  for  all 
the  event  cycles  under  investigation.  Flowcharts  are  used  to 
document  the  findings  of  the  previous  steps.  Properly 
prepared  flowcharts  will  identify  in  a  graphic  fashion  all  of 
the  transactions  which  occur  in  an  event  or  transaction  cycle. 
[Ref  8:p.  84] 

The  flowcharts  are  used  to  complete  the  fourth  phase  of 
the  internal  control  review  by  allowing  the  evaluator  to 
further  clarify  and  verify  the  event  cycles.   [Ref  5:p.  4] 

The  fifth  and  last  step  of  the  planning  process  reguires 
review  of  vulnerability  and  the  determination  of  risk.  Risk 
is  the  uncertainty  that  an  evaluator  faces  in  uncovering 
errors,  loss,  or  wrongdoing  in  spite  of  the  evaluation  effort. 
This  risk  is  often  considered  to  occur  in  two  categories; 
inherent  risk  and  control  risk. 

Inherent  risk  is  the  estimate  on  the  part  of  an  evaluator 
that  material  errors  are  present  in  a  system  without  internal 
controls  being  present   [Ref  9:p.  256].   Such  risk  is  related 
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to  the  nature  of  a  business  and  the  demonstrated  business 
practices  which  are  used. 

Control  risk  is  the  assessment  that  errors  of  a  material 
nature  will  occur  within  a  business  cycle  even  though  internal 
controls  are  present  [Ref  9: p.  256].  Control  risk  relates  to 
the  effectiveness  of  the  internal  control  system  implemented 
within  a  transaction  cycle. 

Inherent  and  control  risk  can  occur  in  several  related 
areas  of  importance  with  two  major  areas  being  of  particular 
interest.  The  first  of  these  is  financial,  e.g.  the  loss  of 
assets  by  fraudulent  actions  such  as  theft.  The  second  is  in 
accounting,  where  records  and  reports  may  not  be  properly 
maintained  or  safeguarded  [Ref  8: p.  2].  These  areas  of  risk 
are  always  present  and  internal  controls  must  be  implemented 
to  reduce  them  to  the  lowest  practical  level,  while 
recognizing  that  they  can  never  be  eliminated  completely.  The 
degree  to  which  control  procedures  meet  the  objectives  of 
internal  control  and  reduce  these  areas  of  risk  to  acceptable 
levels  are  established  through  the  process  of  evaluation. 

E.   EVALUATING  INTERNAL  CONTROLS 

The  process  of  evaluating  internal  controls  centers  on  the 
understanding  gained  about  the  business  operation  during  the 
planning  phase.  Having  fully  identified  the  transaction 
cycles  that  are  pertinent  to  the  review,  the  evaluator  must 
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now  devise  methodologies  to  test  the  effectiveness  of  the 
internal  controls  to  meet  objectives  and  standards. 

Tests  of  controls  are  employed  to  establish  effectiveness 
of  the  control  system.  These  tests  can  be  divided  into  two 
groups,  functional  and  operational  [Ref  8:p.  108],  with 
functional  testing  being  further  divided  into  three 
subcategories . 

The  first  subcategory  of  functional  testing  is  examination 
of  evidence.  This  is  simply  the  review  and  inspection  of 
documentation  for  reguired  signatures,  approval  evidence,  or 
other  proof  of  a  control  being  applied  to  transactions. 
Reperf ormance  is  the  second  functional  control,  and  it  is  the 
reworking  or  recomputing  of  work  processes  of  employees  that 
are  involved  in  the  transaction  cycle.  The  third  functional 
test  is  observation.  The  evaluator  watches  the  normal 
processes  of  employees  to  ensure  management  controls  are  being 
implemented  correctly.  [Ref  8:p.  108] 

Operational  tests  deal  with  the  application  of  resources 
in  an  efficient  manner.  Review  of  operation  controls  is 
primarily  concerned  with  items  of  resource  planning, 
organization,  and  decision  making.  These  controls  are 
typically  tested  by  documentation,  because  reperf ormance  and 
observation  are  difficult  to  implement.  [Ref  8:p.  110] 

In  the  performance  of  functional  tests,  testing  levels 
have  to  be  established  to  ensure  that  representative  samples 
are  taken  to  approximate  population  statistics  accurately. 
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This  can  be  achieved  through  the  use  of  attribute  sampling 
schemes  to  determine  appropriate  sample  sizes  relating  to  the 
acceptable  risk  the  evaluator  is  willing  to  accept  and  the 
total  number  of  deviations  or  errors  the  evaluator  will  allow 
in  the  population.  Attribute  sampling  is  designed  for 
determining  the  presence  or  absence  of  a  given  attribute 
within  a  population  and  is  well  suited  to  tests  of  controls 
which  offer  simple  "yes/no"  or  "present/absent"  verification 
[Ref  9:p.  419-421].  The  goal  is  to  establish  evidence  for  the 
effectiveness  of  a  control  with  the  minimum  necessary  testing. 

Once  testing  is  complete,  the  evaluator  must  make  a 
decision  concerning  the  effectiveness  of  the  internal  control 
system  and  report  weaknesses  to  appropriate  authority  to 
promote  changes  which  will  allow  the  system  to  function 
reliably  and  efficiently. 

Since  public  institutions  are  under  such  close  scrutiny 
and  in  competition  for  precious  dollars  within  current  budget 
constraints,  the  ability  to  operate  in  an  efficient  manner  is 
absolutly  essential.  Inefficiency  makes  these  business 
activities  extremely  vulnerable  to  large  funding  cuts  and 
potentially  reduces  the  guality  and  level  of  service  they  can 
provide.  These  realities  require  that  all  Government 
agencies  and  entities  employ  effective  internal  control 
systems  to  reduce  risk  and  vulnerability  to  the  lowest 
practical  level  to  safeguard  assets  in  the  public  trust. 
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III.   OBTAINING  AN  UNDERSTANDING  OF  THE  INTERNAL  CONTROL 
STRUCTURE 


A.   INTRODUCTION 

Fort  Ord  is  an  Army  Base  located  in  Monterey  County,  in 
central  California,  and  covers  26,000  acres.  As  part  of  the 
Morale,  Welfare,  and  Recreation  (MWR)  program  on  the  base,  the 
Fort  Ord  Golf  Course  complex  is  operated  to  provide  beneficial 
recreation  opportunities  to  active  duty,  retired,  and  civilian 
government  personnel  within  the  local  and  surrounding 
geographic  area. 

The  operation  consists  of  two  18-hole  championship  golf 
courses,  complete  Pro  Shop,  driving  range  facility  and  a  newly 
renovated  dining  facility.  The  operations  include  the  retail 
sales  of  food,  beverages,  golf  eguipment,  golf  supplies, 
clothing,  and  payments  for  the  use  of  the  golf  course  in  the 
form  of  greens  fees  and  golf  cart  rentals.  Profits  from  the 
facility  not  only  provide  operating  capital  for  the  golf 
course  operation,  but  are  an  important  source  of  funding  for 
other  desirable  but  less  profitable  MWR  activities  on  the  Fort 
Ord  Post. 

The  Golf  Course  operation  at  Fort  Ord  is  one  of  a  number 
of  NAFI's  which  comprise  the  Department  of  Personnel  Community 
Activities  (DPCA).  The  DPCA  is  the  central  authority  for  the 
MWR  programs  on  the  post  and  is  composed  of  several  divisions. 
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The  fiscal  division  of  DPCA  is  the  Resource  Management 
Division  (RMD) ,  which  provides  financial  fund  approval  and 
oversight  through  the  Fund  Manager  to  the  assigned  NAFIs, 
which  are  the  recreational  businesses  of  MWR.  The  RMD  submits 
financial  documents  to  the  Central  Accounting  Office  (CAO)  for 
accounting  and  record  keeping  purposes.  The  CAO  performs  the 
accounting  and  record  keeping  functions  for  all  regional  DPCAs 
and  business  activities.  Though  not  geographically  co-located 
with  the  NAFI  or  DPCA,  the  CAO  receives  transmitted 
documentation  and  records  through  mail  and  telecommunication 
channels.  Some  reports  and  documents,  such  as  time  and 
attendance  reports,  are  also  submitted  directly  by  the  NAFI  to 
the  CAO,  as  well  as  via  the  RMD,  as  a  control  measure  for  the 
CAO.  Another  branch  of  DPCA  is  the  Civilian  Personnel  Office 
(CPO),  which  is  responsible  for  hiring  employees  to  fill  job 
vacancies  within  the  DPCA.  The  CPO  is  responsible  for 
maintaining  the  personnel  records  of  golf  course  employees. 

Internally,  the  Fort  Ord  Golf  Course  is  comprised  of  a 
manager,  assistant  manager,  and  four  divisions  with  an 
assigned  division  manager  in  each  area.  Approximately  60 
personnel  are  assigned  to  the  golf  course  administration, 
maintenance,  sales,  and  restaurant  operations.  An 
organization  chart  of  the  NAFI  showing  external  and  internal 
structures  is  provided  in  Figure  3-1. 

To  ensure  the  continued  self-support  of  the  golf  course 
operation   and   the   continued   funding   of   desirable   but 
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unprofitable  MWR  activities,  it  is  the  responsibility  of 
management  to  operate  in  the  most  effective  and  efficient 
manner  possible.  This  requires  identifying  and  eliminating 
areas  of  waste,  loss,  or  misuse  of  assets  under  management 
control.  To  achieve  this  objective,  business  operations  are 
designed  with  internal  control  measures  aimed  at  detection  and 
elimination  of  loss  and  inefficiencies.  The  review  of  these 
internal  controls  and  their  effectiveness  begins  by  obtaining 
an  understanding  of  the  controls. 

An  evaluator  of  internal  controls  must  obtain  an 
understanding  of  the  elements  of  a  business  prior  to  assessing 
the  effectiveness  of  an  internal  control  system.  This 
understanding  must  extend  to  the  normal  and  routine  internal 
transactions  which  occur  for  the  business  as  well  as  to  the 
external  relationships  that  exist.  Understanding  is  usually 
gained  through  observation  of  daily  procedures,  interviews  of 
client  personnel,  the  client's  standard  operating  procedures 
and  manuals,  and  inspection  of  documents  and  records  [Ref. 
8:p.  72] . 

The  understanding  gained  through  this  process  must  be 
recorded  as  evidence  for  the  sequence  of  transactions  and 
operations.  Several  tools  are  employed  to  document  the 
understanding  gained  through  this  process  and  aid  in 
clarifying  the  processes  and  substantiating  the  understanding. 
The  most  common  tools  used  in  the  documentation  of  an 
understanding  of   internal  control  systems  are  narrative 
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descriptions,  flowcharts,  and  internal  control  questionnaires 
[Ref.  9:p.  304]. 

The  narrative  description  is  a  simple  plain  language 
interpretation  of  the  transactions  of  interest  in  the 
business.   This  is  supported  by  the  use  of  flowcharting  to 
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present  the  same  information  in  a  graphic,  diagrammatic  view. 
The  purpose  is  to  give  the  evaluator  a  full  range  of  knowledge 
concerning  the  steps  in  each  transaction  cycle.  The  internal 
control  guestionnaire  is  designed  to  reduce  internal  control 
reguirements  mandated  by  higher  authority  to  "yes"/"no" 
responses.  The  process  reguires  guestions  which  are  specific 
in  nature  to  the  particular  transaction  cycle.  A  "no" 
response  to  an  internal  control  guestion  is  considered  a 
potential  weakness  in  internal  controls  and  represents  an  area 
that  cannot  be  tested  due  to  lack  of  a  control  to  evaluate 
[Ref.  8: p.  52].  The  presence  of  a  weakness  does  not  mean  that 
actual  errors  or  losses  have  occurred,  but  indicates  an  area 
where  potential  loss  could  occur  because  adeguate  controls  are 
not  in  place  to  prevent  a  problem. 

For  the  transaction  cycles  under  consideration  in  this 
study,  narrative  descriptions,  flowcharts,  and  internal 
control  guestionnaires  are  important  to  a  full  understanding 
of  those  cycles  and  are  presented  for  each  cycle  in 
consecutive  sections  and  subsections  of  this  chapter. 

The  narrative  descriptions  and  flowcharts  were  developed 
from  observation  of  the  transaction  cycles  and  through 
interviews  with  the  manager,  payroll  clerk,  receiving  clerk 
and  cashiers.  Internal  control  guestionnaires  were  developed 
from  the  reguirements  established  for  the  NAFI  in  Army 
Regulations  215-1,  215-2,  215-3,  215-4,  and  215-5,  of  October, 
1990.   These  regulations  are  the  primary  operating  documents 
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for  the  NAFI  and  give  the  minimum  requirements  for  operation 
of  the  transaction  cycles. 

The  cycles  which  are  the  subject  of  this  study  include  the 
cash  receipt  and  control  cycle,  payroll  cycle  and  the 
inventory  receipt  and  control  cycle. 

B.   CASH  RECEIPT  AND  CONTROL  CYCLE 
1 .   Narrative  Description 

Cash  receipt  can  occur  through  five  possible  cash 
registers  during  the  business  day.  Two  of  the  cash  registers 
are  located  in  the  Pro  Shop,  two  are  located  in  the  dining 
room  and  one  is  in  a  beverage  shack  located  outside  the  main 
building  on  the  golf  course  grounds. 

The  cashiers  receive  $200  in  their  cash  drawers  at  the 
beginning  of  each  shift  or  the  opening  of  a  new  cash  register. 
Each  cashier  is  responsible  for  his  or  her  own  drawer  and  is 
to  be  the  sole  operator  of  that  cash  drawer.  Upon  receipt  of 
the  change  fund,  the  cashier  counts  the  change  and  signs  the 
daily  cashier's  record,  DA  Form  4082,  to  acknowledge  receipt 
of  the  change.  This  record  is  placed  in  the  safe  as  a  receipt 
for  the  change  and  the  drawer.  The  record  is  not  prenumbered 
and  is  duplicated  in  the  NAFI  office  to  ensure  an  adequate 
supply. 

The  cash  registers  are  computerized  and  use  product 
identification  numbers  for  entry  into  the  system.  The 
computerization  provides  automatic  price  information  to  the 
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cashier  and  customer.  Each  item  sold  reflects  the  price 
entered  into  the  computer  system  by  the  manager  of  the  pro 
shop.  As  sales  occur,  the  customer  is  provided  a  sales 
receipt  which  is  generated  automatically  by  the  cash  register 
to  verify  the  sale.  When  checks  are  accepted  for  payment, 
they  are  stamped  with  the  endorsement  "For  Deposit  Only" 
immediately  upon  receipt  and  are  placed  into  the  cash  drawer. 
Credit  card  sales  are  also  an  acceptable  means  of  payment  but 
a  $25  minimum  charge  limit  is  imposed.  Credit  cards  are 
verified  by  the  use  of  an  electronic  approval  system  and  the 
authorization  number  is  entered  on  the  credit  slip  along  with 
the  initials  of  the  cashier  receiving  the  authorization. 

When  the  cashier  has  completed  the  shift,  the  cash 
register  is  closed.  The  manager  takes  readings  of  the  cash 
register  by  means  of  a  computer  generated  register  tape.  The 
mechanism  that  controls  the  reading  is  accessible  only  to  the 
individual  reading  the  register  and  is  protected  by  a  locked 
entry  system.  The  reading  process  generates  a  register  tape 
which  reflects  the  starting  total  and  the  ending  total  in  the 
register  since  the  last  reading,  taking  into  account  discounts 
and  returns.  The  cashier  is  not  apprised  of  the  amount  that 
should  be  in  the  cash  register.  The  cashier  then  counts  the 
cash  present  in  his/her  cash  drawer  and  documents  the  cash 
count  on  the  Daily  Cashier's  Record.  The  Daily  Cashier's 
Record  is  again  signed  by  the  cashier  to  signify  that  the 
money  is  turned  in.   The  manager  or  designated  representative 
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who  receives  the  cash  also  signs  to  indicate  agreement  with 
the  cash  count  and  to  signify  receipt  of  the  cash.  After 
attaching  the  register  tape  that  was  generated  at  the  register 
closing  to  the  Daily  Cashier's  Record,  the  cash,  register  tape 
and  Daily  Cashier's  Record  are  then  reconciled  by  the 
individual  assigned  to  close.  The  documentation  and  cash  are 
placed  in  the  safe  at  the  end  of  the  day  or  at  the  end  of  the 
cashier's  shift.  The  Cashier's  Record  and  money  is  then 
received  by  the  accounting  technician  who  uses  the  combined 
records  from  the  various  cashiers  to  compile  the  Daily 
Activity  Report.  Examples  of  the  Daily  Cashier's  Record  and 
Daily  Activity  Report  are  included  in  the  Appendix. 

The  cash  receipts  are  combined  by  the  accounting 
technician,  and  a  deposit  slip  is  filled  out  in  triplicate. 
The  deposit  amount  is  entered  on  the  Daily  Activity  Report 
along  with  a  breakdown  of  receipts  by  transaction  type.  The 
sum  of  the  cash  deposit  and  all  other  debit  amounts  are 
totalled  against  the  sum  of  all  credit  amounts  for  the  day  and 
the  sums  are  inspected  for  agreement. 

The  three  copies  of  the  deposit  slip  are  distributed 
as  follows:  one  to  the  bank  with  the  deposit,  one  maintained 
on  file,  and  the  third  sent  to  the  Central  Accounting  Office 
along  with  a  copy  of  the  Daily  Activity  Report. 

The  deposit  is  locked  in  the  safe  until  it  is  picked 
up  by  a  courier  from  the  Department  of  Personnel  Community 
Activities  (DPCA),  which  is  the  overall  supervisor  for  the 
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Fort  Ord  NAFIs.  The  transfer  of  the  money  to  the  courier  is 
done  by  use  of  a  receipted  bank  bag,  which  is  then  transported 
to  the  bank.  The  bank  sends  a  copy  of  the  deposit  slip  to  the 
Central  Accounting  Office  for  verification  against  the  deposit 
slip  and  Daily  Activity  Report  submitted  by  the  NAFI .  For 
amounts  over  $5000,  an  armed  guard  accompanies  the  courier. 

The  Daily  Activity  report,  Cashier's  Daily  Records 
with  register  tapes,  deposit  slip  copy,  photo  copy  of  tendered 
checks,  duplicate  credit  card  slips,  and  bank  bag  receipt 
tapes  are  then  collated  and  kept  on  file  for  90  days  at  the 
NAFI.  In  addition,  itemized  sales  reports  from  the  cash 
registers  are  generated  and  maintained  with  the  copy  of  the 
Daily  Activity  Report. 
2 .   Flowchart 

The  cash  receipts  and  control  cycle  flowchart  is 
displayed  in  Figure  3-2. 
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Figure  3-2:   Cash  Receipts  and  Control  Flowchart 
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Figure  3-2  continued. 
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Figure    3-2    continued. 
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3 .   Cash  Receipts  and  Control  Questionnaire 

The  following  questions  address  the  controls  that  Army 
regulations  state  should  be  in  effect  in  a  NAFI  for  this 
transaction  cycle.  Specific  responses  to  these  questions  are 
discussed  in  Chapter  V. 

YES    NO    NA 

1.  ARE  OPERATING  CHANGE  FUNDS  SIGNED  FOR     (   )  (   )  (   ) 
BY  THE  REGISTER  OPERATOR  ON  THE  DAILY 

CASHIER'S  RECORD? 

2.  IS  THE  DAILY  CASHIER'S  RECORD  PLACED      (   )  (   )  (   ) 
IN  A  SAFE  AFTER  OBTAINING  THE 

CASHIER'S  SIGNATURE  AS  A  RECEIPT  ? 

3.  IS  ONLY  ONE  CASHIER  ASSIGNED  TO  A  ()()() 
SINGLE  CASH  REGISTER  AT  A  TIME? 

4.  IS  THE  COMBINATION  OF  EACH  SAFE  ONLY       (   )  (   )  (   ) 
KNOWN  TO  AUTHORIZED  PERSONNEL? 

5.  ARE  CASH  RECEIPTS,  CHANGE  FUNDS  AND        (   )  (   )  (   ) 
ALL  MONIES  SECURED  IN  AN  APPROVED 

LOCKED  SAFE  AT  ALL  TIMES? 

6.  IS  THE  AMOUNT  RUNG  UP  ON  REGISTERS         (   )  (   )  (   ) 
VISIBLE  TO  THE  CUSTOMER  OR  IS  AN 

IMPRINTED  OR  WRITTEN  CUSTOMER  RECEIPT 
PROVIDED  TO  THE  CUSTOMER? 

7.  ARE  PRENUMBERED  RECEIPTS  USED  FOR  CASH    (   )  (   )  (   ) 
COLLECTIONS  WHEN  CASH  REGISTERS  ARE 

NOT  USED? 

8.  DOES  SOMEONE  OTHER  THAN  THE  SALES  (   )  (   )  (   ) 
PERSON  OR  CASH  REGISTER  OPERATOR 

READ  THE  REGISTER? 

9.  ARE  CASH  REGISTER  TAPES  REMOVED  FROM      (   )  (   )  (   ) 
THE  MACHINES  BY  SOMEONE  OTHER  THAN 

THE  CASHIER? 

10.  DOES  THE  BRANCH  MANAGER  OR  A  ()()() 
DESIGNATED  REPRESENTATIVE  COUNT 

THE  DAILY  RECEIPTS  AND  COMPARE 

THEM  AGAINST  THE  REGISTER  READING  OR 

PRE-NUMBERED  RECEIPTS? 
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YES    NO    NA 

11.  IS  A  LISTING  OF  DISHONORED  CHECKS  (   )  (   )  (   ) 
MAINTAINED  FOR  CASHIERS  TO  PREVENT 

REPEAT  OFFENSES  OR  LOSS? 

12.  ARE  CASH  OVERAGES  AND  SHORTAGES  (   )  (   )  (   ) 
INVESTIGATED  AND  REFLECTED  ON  THE 

DAILY  ACTIVITY  REPORT? 

13.  ARE  THE  SET  BACK  AND  READING  KEYS  TO      ()()() 
THE  CASH  REGISTER(S)  IN  THE  POSSESSION 

OF  THE  MANAGER  OR  HIS/HER  DESIGNATED 
REPRESENTATIVE  AT  ALL  TIMES? 

14.  IS  DIRECT  SUPERVISION  GIVEN  TO  THE        (   )  (   )  (   ) 
PERSON  CHARGED  WITH  OPENING  THE  MAIL, 

AND  IS  THE  PERSON  SOMEONE  OTHER  THAN 
THE  CASHIER? 

15.  IS  A  RECORD  MADE  IMMEDIATELY  UPON  (   )  (   )  (   ) 
RECEIPT  OF  CASH  OR  CHECKS? 

16.  ARE  ALL  CHECKS  STAMPED  IMMEDIATELY         (   )  (   )  (   ) 
UPON  RECEIPT  "FOR  DEPOSIT  ONLY"? 

17.  IS  CASH  KEPT  IN  A  COMBINATION,  THREE      (   )  (   )  (   ) 
TUMBLER  LOCKED,  FIRE  RESISTANT 

SAFE  DURING  NON-OPERATING  HOURS? 

18.  IS  THE  NAFI  PRECLUDED  FROM  CASHING        (   )  (   )  (   ) 
ITS  OWN  CHECKS? 

19.  ARE  SPECIFIC  DOLLAR  LIMITS  ESTABLISHED    (   )  (   )  (   ) 
FOR  CASHING  MEMBER'S  CHECKS? 

20.  IS  THE  PERSON  CASHING  A  CHECK  REQUIRED    (   )  (   )  (   ) 
TO  SHOW  IDENTIFICATION  AND  HAVE 

HIS/HER  NAME,  ADDRESS,  AND  PHONE 
NUMBER  ON  THE  CHECK? 

21.  ARE  OVERRINGS  VERIFIED  AND  VOIDED  ON       ()()() 
THE  CASH  REGISTER  TAPE  AND  INITIALED 

BY  THE  CASHIER'S  SUPERVISOR? 

22.  ARE  CASH  REGISTERS  OPERATED  ONLY  (   )  (   )  (   ) 
WITH  THE  DRAWERS  CLOSED? 

23.  ARE  CASH  REGISTERS  EMPTIED  AND  LEFT       (   )  (   )  (   ) 
OPEN  WITH  THE  REGISTER  CONTROLS 

LOCKED  AT  THE  CLOSE  OF  EACH  BUSINESS 
DAY? 
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YES    NO    NA 

24.  ARE  DAILY  ACTIVITY  REPORTS  PREPARED       (   )  (   )  (   ) 
EVERY  DAY  WHETHER  OR  NOT  A  DEPOSIT 

IS  MADE? 

25.  ARE  DEPOSIT  SLIP  TOTALS  RECONCILED  TO     ()()() 
DAILY  ACTIVITY  REPORTS  FOR  AGREEMENT? 

26.  ARE  BOND  AMOUNTS  MAINTAINED  FOR  (   )  (   )  (   ) 
CLASS  1  AND  CLASS  2  EMPLOYEES  IN 

ACCORDANCE  WITH  ARMY  REGULATION 
215-2? 

27.  ARE  SPECIFIC  PERSONNEL  AUTHORIZED  IN      ()()() 
WRITING  TO  READ  CASH  REGISTERS  AND 

RECEIVE  CLOSING  BALANCES? 

28.  ARE  CASH  RECEIPTS  DEPOSITED  IN  TOTAL      (   )  (   )  (   ) 
DAILY? 

29.  ARE  ALL  CHECKS  LISTED  SEPARATELY  (   )  (   )  (   ) 
ON  THE  BANK  DEPOSIT  SLIPS  OR  A 

MACHINE  TAPE  ATTACHED  TO  THE 
DEPOSIT  SLIP? 

30.  ARE  BANK  DEPOSITS  MADE  BY  SOMEONE  (   )  (   )  (   ) 
OTHER  THAN  THE  CASHIER? 

31.  ARE  DUPLICATE  DEPOSIT  SLIPS  STAMPED        (   )  (   )  (   ) 
BY  THE  BANK  AND  FORWARDED  TO  THE 

CENTRAL  ACCOUNTING  OFFICE? 


C.   PAYROLL  CYCLE 

1 .   Narrative  Description 

The  golf  course  employs  60  individuals  in  four  basic 
divisions,  with  a  manager  assigned  to  each  division.  All 
employees  have  timecards  except  the  golf  course  manager  and 
the  assistant  manager,  who  receive  salaries.  The  timecards 
are  generic  and  are  purchased  by  the  NAFI  through  supply 
channels.  The  timecards  are  filled  out  with  employees'  names 
and  social  security  numbers  by  the  payroll  clerk  and  are 
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placed  into  a  rack  inside  the  administrative  office  in  clear 
view  of  the  administrative  personnel.  Employees  use  the  same 
timecard  for  a  period  of  two  weeks,  after  which  new  timecards 
are  prepared  by  the  payroll  clerk.  Division  managers  are 
responsible  to  monitor  attendance  of  personnel  assigned  to 
them  and  ensure  that  absenteeism  is  reported  to  the  payroll 
clerk. 

Employees  punch-in  and  punch-out  by  use  of  an  ordinary 
mechanical  time  clock  which  is  also  located  in  the 
administrative  office.  The  time  clock  and  timecards  are  in 
view  of  the  manager  as  well  as  the  administrative  personnel 
occupying  the  office. 

At  the  end  of  the  two  week  pay  period,  the  payroll 
clerk  collects  the  time  cards  and  counts  them  to  ensure  that 
the  number  of  timecards  is  egual  to  the  number  of  employees 
currently  on  the  payroll.  Times  recorded  on  the  timecards  are 
then  transcribed,  by  hand,  to  the  Nonappropriated  Funds  Time 
and  Attendance  Report  (DA  Form  4850)  for  each  employee.  This 
report  includes  all  hours  worked,  overtime,  annual  leave,  and 
sick  leave  taken  during  the  reporting  period.  The  employee  is 
identified  on  the  form  by  use  of  an  employee  identification 
number  which  is  the  same  as  the  individual's  social  security 
number.  An  example  of  this  form  is  included  in  the  Appendix. 
The  DA  Form  4850  is  then  signed  by  the  manager  or  assistant 
manager  certifying  that  all  time  worked  and  leave  taken  for 
the  period  is  correct  as  reported.  This  signature  also  serves 
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as  the  authority  to  grant  entitlement  to  the  employee  for 
wages  earned.   [Ref.  10:p.  30] 

The  time  and  attendance  report  is  completed  in 
triplicate  for  each  employee  and  the  three  copies  are 
distributed,  with  one  going  to  the  Resource  Management 
Division  (RMD) ,  one  to  the  CAO,  and  one  copy  held  on  file. 
The  DA  Forms  4850  are  transmitted  to  the  CAO  by  mail  along 
with  a  Nonappropriated  Fund  Document  Transmittal  Form  (DA  Form 
4853)  with  a  count  of  enclosed  payroll  documents  to  ensure  all 
personnel  are  paid.  The  CAO  uses  the  information  on  the  DA 
Form  4850  to  prepare  the  paychecks  which  are  sent  to  the  RMD. 
RMD  delivers  the  NAFI  checks  to  the  payroll  clerk,  who  ensures 
that  they  are  all  present.  The  payroll  clerk  is  then 
responsible  for  providing  payroll  checks  to  the  employees  on 
payday.  Supervisors  pick  up  checks  for  their  division  and  are 
responsible  for  individual  delivery  to  division  personnel. 
Undelivered  payroll  checks  are  returned  to  the  payroll  clerk 
who  stores  them  in  the  safe  until  delivery  can  be  made.  If  an 
individual  has  terminated  employment  and  a  check  has  been 
received,  that  check  is  returned  to  RMD  by  the  payroll  clerk 
for  cancellation  through  the  CAO. 

All  hiring  is  administrated  by  the  Civilian  Personnel 
Office.  When  vacancies  occur  in  staffing,  openings  are 
advertised  and  filled  through  the  personnel  office  which  is 
responsible  for  maintaining  personnel  records  and  establishing 
individual  pay  accounts  with  the  CAO.   This  work  is  outside 
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the  area  of  responsibility  and  control  for  the  NAFI  and  is  not 
a  consideration  in  this  study. 

Examples  of  DA  Forms  4850,  and  4853  are  included  in 
the  Appendix. 

2 .  Flowchart 

The  payroll  cycle  flowchart  is  presented  in 
Figure  3-3. 

3.  Payroll  Control  Questionnaire 

The  following  guestions  address  the  controls  that  Army 
regulations  state  should  be  in  effect  for  the  NAFI  payroll 
cycle.  Specific  responses  to  these  guestions  are  discussed  in 
Chapter  V. 

YES    NO    NA 

1.  ARE  TIMECARDS  VERIFIED  BY  EMPLOYEES'        (   )  (   )  (   ) 
SUPERVISORS  FOR  ACCURATE  TIME  AND 

ATTENDANCE? 

2.  ARE  ALL  DUTIES  OF  POSITIONS  DESCRIBED      (   )  (   )  (   ) 
AND  AUTHENTICATED  BY  THE  APPROPRIATE 

SUPERVISOR  AND  RECORDED  ON 
DA  FORM  34  35-R? 

3.  IS  TIME,  ATTENDANCE,  AND  LEAVE  OF  ()()() 
EACH  NAF  EMPLOYEE  MAINTAINED  ON 

DA  FORM  4850  AND  DA  FORM  4850-1-R? 

4.  ARE  ENOUGH  BLANK  DA  FORM  4850 'S  KEPT       (   )  (   )  (   ) 
ON  HAND  SO  THAT  THERE  ARE  ENOUGH 

FOR  A  FULL  PAY  PERIOD? 

5.  IS  COPY  THREE  OF  COMPLETED  (   )  (   )  (   ) 
DA  FORM  4850  RETAINED  AS  A  FILE 

RECORD? 

6.  ARE  ALL  DA  FORMS  4850  AND  DA  FORMS  (   )  (   )  (   ) 
4850-1-R  AUTHENTICATED  BY  THE  NAFI 

MANAGER  OR  DESIGNATED  REPRESENTATIVE? 
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Figure  3-3:   Payroll  Cycle  Flowchart 
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Figure    3-3    continued. 
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YES    NO    NA 

7.  ARE  ALL  CORRESPONDING  DA  FORMS  4850         (   )  (   )  (   ) 
AND  DA  FORMS  4850-1-R  SIGNED  BY 

THE  SAME  PERSON? 

8.  ARE  ALL  DA  FORMS  4850  AND  4850-1-R         (   )  (   )  (   ) 
TRANSMITTED  USING  DA  FORM  4853-R? 

9.  DOES  AN  AUTHORIZED  PERSON  REVIEW  FOR       (   )  (   )  (   ) 
ACCURACY,  COMPLETENESS,  CORRECTION 

OF  ERRORS,  AND  PROPER  INITIALS  ON 
ALL  CORRECTIONS,  AND  PROPER 
SIGNATURE  BEFORE  SUBMISSION  OF 
DA  FORMS  4850  AND  4850-1? 

10.  DOES  THE  NAFI  MANAGER  OR  SUPERVISOR         (   )  (   )  (   ) 
HAVE  POSITIVE  MEASURES  TO  ENSURE 

SUBMISSION  OF  DA  FORMS  4850  AND 
4850-1-R  FOR  EACH  EMPLOYEE  WITH 
HOURS  TO  BE  REPORTED? 

11.  ARE  ALL  NECESSARY  CHANGES  MADE  TO  DA       ()()() 
FORMS  4850  AND  4850-1-R  PROPERLY 

ANNOTATED  ON  COPIES  TWO  AND  THREE, 
AND  SIGNED  BY  A  PERSON  WHO  HAS  A 
PROPER  DD  FORM  577  (SIGNATURE  CARD) 
ON  FILE  AT  THE  SERVICING  PAYROLL 
OFFICE? 

12.  IS  THE  PERSON  WHO  RECEIVES  PAYCHECKS       (   )  (   )  (   ) 
FOR  DISTRIBUTION  AUTHORIZED  IN 

WRITING  BY  THE  NAFI  MANAGER? 

13.  ARE  PROCEDURES  ESTABLISHED  FOR  THE  (   )  (   )  (   ) 
DISTRIBUTION  OF  PAYCHECKS  TO 

EMPLOYEES? 

14.  IS  THE  RECEIPT,  HANDLING  AND  (   )  (   )  (   ) 
DISTRIBUTION  OF  PAYCHECKS 

SEPARATED  FROM  THE  AUTHORIZATION 
AND  RECORDING  OF  PAYMENTS? 

15.  ARE  UNDELIVERED  PAYCHECKS  SECURED  (   )  (   )  (   ) 
IN  AN  APPROPRIATE  SAFE  UNTIL 

DELIVERY  CAN  BE  MADE? 

16.  ARE  TIMECARDS  SAFEGUARDED  TO  PREVENT        (   )  (   )  (   ) 
EMPLOYEES  FROM  CLOCKING  IN  FOR  ONE 

ANOTHER? 
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D.   INVENTORY  RECEIPT  AND  CONTROL  CYCLE 
1 .   Narrative  Description 

The  purchase  of  inventory  items  or  services  begins 
with  a  vendor  order  which  is  the  vendor's  estimate  of  cost  to 
the  NAFI  for  a  proposed  purchase.  The  vendor's  order  is 
followed  by  the  Army  NAF  Purchase  Request  (DA  Form  4065-R) . 
The  NAF  Purchase  Request  lists  items  to  be  purchased  or 
services  required  by  description,  quantity,  estimated  price, 
extended  price  and  estimated  shipping  charges.  The  purchase 
request  also  contains  any  special  instructions  which  may  be 
important  to  the  purchase,  such  as  manufacturer  for  name  brand 
or  manufacturer-specific  orders.  The  capability  to  specify 
name  brand  items  is  considered  essential  for  the  success  of 
retail  sales  in  the  pro  shop.  The  purchase  request  is  signed 
by  the  NAFI  manager  and  is  forwarded  to  RMD,  which  has  final 
approval  authority  for  the  NAFI.  The  RMD  controls  all 
nonappropriated  fund  expenditures  for  the  NAFI  through  the 
NAFI  fund  manager,  who  is  located  at  the  RMD. 

The  request  is  then  forwarded  to  procurement 
specialists  at  RMD,  who  are  responsible  for  contracting 
requirements  and  proper  procurement  procedures.  A 
procurement  specialist  prepares  the  actual  purchase  order  and 
supplies  a  copy  of  it  along  with  a  copy  of  the  Purchase 
Request  to  the  NAFI  for  record  purposes.  When  items  are 
received,  the  shipping  document  is  compared  to  the  purchase 
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order  by  the  NAFI  receiving  clerk.  The  receiving  clerk 
inspects  the  shipped  items  to  ensure  that  guantities, 
specifications  and  condition  at  delivery  are  satisfactory. 
The  receiving  clerk  completes  the  Material  Inspection  and 
Receiving  Report  (DD  Form  250),  noting  any  discrepancies  which 
exist.  The  receiving  report  is  reviewed  by  the  NAFI  manager 
and  signed  as  final  acceptance  authority.  Receiving  reports 
and  shipping  documents  are  then  sent  to  the  Central  Accounting 
Office  for  payment  to  the  vendor.  Copies  of  the  NAF  Purchase 
Reguest,  purchase  order,  shipping  document,  and  receiving 
report  are  maintained  by  the  NAFI  receiving  clerk  on  file  for 
one  year. 

Appropriate  divisions  are  notified  of  deliveries  and 
items  are  transferred  to  division  control  for  storage  and 
safeguarding  until  sale  or  use. 

Examples  of  DA  Form  4065-R  and  DD  form  250  are 
presented  in  the  Appendix. 
2 .   Flowchart 

The  inventory  receipt  and  control  flowchart  is 
presented  in  Figure  3-4. 
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Figure  3-4:   Inventory  Receipt  and  Control  Flowchart 
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Figure  3-4  continued. 


42 


3 .   Inventory  Receipt  and  Control  Questionnaire 

The  following  questions  address  the  controls  that  Army 
regulations  state  should  be  in  effect  in  a  NAFI  for  this 
transaction  cycle.  Specific  responses  to  these  questions  are 
discussed  in  Chapter  V. 

YES    NO    NA 

1.  ARE  PROCEDURES  ESTABLISHED  TO  ENSURE       (   )  (   )  (   ) 
THAT  ALL  PURCHASE  REQUESTS  HAVE  PROPER 

APPROVAL  SIGNATURES  PRIOR  TO 
SUBMISSION  FOR  APPROVAL? 

2.  ARE  PURCHASE  ORDERS  RECONCILED  TO  ()()() 
SHIPPING  INVOICES  TO  ENSURE   THAT 

QUANTITIES  AND  QUALITIES  RECEIVED 
CONFORM  WITH  THOSE  ORDERED? 

3.  ARE  ALL  RECEIPTS  OF  GOODS  AND  SERVICES     (   )  (   )  (   ) 
RECORDED  ON  A  MATERIAL  INSPECTION  AND 

RECEIVING  REPORT,  DD  FORM  250? 

4.  IS  ALL  MERCHANDISE  INSPECTED  FOR  DAMAGE    (   )  (   )  (   ) 
UPON  RECEIPT  WITH  DAMAGE  NOTED  ON  THE 

RECEIVING  REPORT? 

5.  ARE  RECEIVING  REPORTS  ROUTED  PROMPTLY      (   )  (   )  (   ) 
TO  TAKE  ADVANTAGE  OF  CASH  DISCOUNTS? 

6.  IS  RECEIVED  MERCHANDISE  PHYSICALLY  (   )  (   )  (   ) 
CONTROLLED  UPON  RECEIPT  UNTIL 

PROPERLY  STORED? 
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IV.   EVALUATING  THE  INTERNAL  CONTROL  SYSTEM 

A.   BACKGROUND 

1.   TESTS  OF  CONTROLS 

Having  gained   an   understanding  of   the   internal 

controls  present  in  the  NAFI ,  the  next  step  in  the  study  is  to 

test  these  controls  to  evaluate  the  extent  to  which  they  meet 

management  objectives  for  effectiveness.   Tests  of  controls 

typically  rely  on  four  technigues  to  examine  the  functioning 

of  the  internal  controls  [Ref.  9:p.  310]. 

Inguiries  of  appropriate  entity  personnel.  Although 
inguiry  is  not  generally  a  strong  source  of  evidence  about 
the  effective  operation  of  controls,  it  is  an  appropriate 
form  of  evidence.  For  example,  the  auditor  may  determine 
that  unauthorized  personnel  are  not  allowed  access  to. . . 
files  by  making  inguiries  of  the  person  who  controls  the 
. . . library. 

Inspection  of  documents,  records,  and  reports.  Many 
related  activities  and  procedures  leave  a  clear  trail  of 
documentary  evidence.  ...  The  auditor  examines  the 
documents  to  make  sure  they  are  complete  and  properly 
matched,  and  that  reguired  signatures  or  initials  are 
present. 

Observation.  Other  types  of  control-related  activities  do 
not  leave  an  evidential  trail.  ...  For  controls  that 
leave  no  documentary  evidence,  the  auditor  generally 
observes  them  being  applied. 

Reperformance.  There  are  also  control-related  activities 
for  which  there  are  related  documents  and  records,  but 
their  content  is  insufficient  for  the  auditor's  purpose  of 
assessing  whether  controls  are  operating  effectively.  ... 
In  these  cases,  it  is  common  for  the  auditor  to  actually 
reperform  the  control  activity  to  see  whether  the  proper 
results  were  obtained.  [Ref.  9:p.  310-312] 
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Combining  the  information  provided  by  the  internal 
control  questionnaires,  flowcharts,  and  narrative  descriptions 
with  the  information  from  the  four  techniques  listed  above 
allowed  for  identification  of  the  key  controls  which  are 
essential  to  the  effective  operation  of  the  internal  control 
system  in  general,  and  the  transaction  cycles  specifically. 
Key  controls  are  those  control  measures  which  have  the 
greatest  effect  on  the  achievement  of  control  objectives  [Ref . 
9:p.  307].  The  understanding  of  internal  controls  gained 
about  the  NAFI  is  confirmed  by  the  tests  of  controls  to  form 
the  basis  for  the  evaluation  of  the  overall  implemented 
internal  control  system.  Tests  of  controls  investigate  the 
key  controls  for  each  transaction  cycle  and,  through  a 
sampling  process,  methodically  examine  for  the  actual  presence 
and  effectiveness  of  the  internal  controls  to  prevent 
inadvertent  or  intentional  loss,  misuse,  or  waste  of  NAFI 
assets . 

2.   ATTRIBUTE  SAMPLING 

One  technique  which  is  applied  in  this  study  to 
facilitate  the  testing  of  controls  is  attribute  sampling.  To 
test  the  key  controls  of  the  transaction  cycles,  examination 
of  a  representative  sample  of  those  controls  is  sufficient. 
The  use  of  attribute  sampling  allows  the  evaluator  to  make 
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inferences  about  an  entire  population  of  transactions  without 
actually  testing  each  one  of  those  transactions. 

The  requirement  for  using  attribute  sampling  is, 
first,  that  the  attribute  being  sampled  be  reducible  to  a 
simple  binary  expression.  This  requires  that  the 
characteristic  can  be  thought  of  in  terms  of  a  "yes/no"  or 
"1/0"  model  indicating  presence  or  absence  of  the  attribute. 
An  example  would  be  the  presence  or  absence  of  an  authorizing 
signature  on  a  time  and  attendance  card.  The  population  must 
also  be  identifiable  and  accessible  to  the  evaluator.  This 
depends  on  management  providing  the  necessary  access  to  files 
and  documents  for  evaluation  of  the  attribute.  The  population 
must  have  a  finite  means  of  identifying  individual  population 
items  so  that  a  sample  can  be  chosen  by  a  random  or  systematic 
selection  process.  By  means  of  statistical  processes,  the 
sample  size  required  to  make  inferences  about  the  population 
in  question  can  be  determined  [Ref.  9:p.  424]. 

In  tests  of  internal  control,  the  attribute  of 
interest  is  usually  defined  as  a  failure  of  a  control  to  work 
effectively,  or  a  control  deviation.  Examining  the  required 
sample  for  this  attribute  and  identifying  the  rate  of  its 
occurrence  in  the  sample  permits  a  statistical  estimate  of  its 
rate  of  occurrence  in  the  entire  population.  Through  the  use 
of  attribute  sampling  tables  [Ref.  9:p.  428],  the  sample 
deviation  rate  can  be  converted  to  a  population  deviation  rate 
at  the  desired  risk  level  that  the  evaluator  is  willing  to 
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accept  for  relying  on  the  sample  data.  The  advantage  of  this 
approach  is  that  time  and  effort  are  saved  by  reducing  the 
number  of  actual  documents  or  population  items  which  have  to 
be  examined  to  achieve  a  valid  representation  of  the 
population  under  study  [Ref.  ll:p.  727-732].  Tests  of  the 
three  transaction  cycles  follow,  with  a  description  of  the 
procedural  steps  employed. 

B.   TESTS  OF  CASH  RECEIPTS  AND  CONTROL 

To  test  the  cash  receipts  and  control  cycle  the  key 
controls  were  identified,  the  attributes  which  would  represent 
the  presence  or  absence  of  the  control  were  defined,  and  the 
sampling  unit  reguired  for  examination  was  established.  The 
sampling  unit  is  simply  the  document  or  physical  evidence 
which  provides  the  information  concerning  the  attribute  in 
guestion.  The  key  controls,  related  attributes,  and  sampling 
unit  for  the  cash  receipts  and  control  cycle  are  as  follows: 


Key  Control 

Receipt  of 
change  fund 

Total  cash 
count 

Manager's 
receipt  of  cash 


4.  Complete 

documentation 


Sampling  Unit 

Daily  Cashier's 
Record 

Daily  Cashier's 
Record 

Daily  Cashier's 
Record 


Daily  Activity 
Report 


Attribute 

Cashier's 
signature 

Cashier's 
signature 

Manager's 
or  other 
authorized 
signature 

Reguired 

documentation 

present 
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The  Daily  Cashier's  Records  and  Daily  Activity  Reports  for 
the  NAFI  are  maintained  for  90  days  and  are  filed  by  date. 
The  Daily  Cashier's  Reports  are  attached  to  the  copy  of  the 
Daily  Activity  Report.  There  is  no  set  number  of  Daily 
Cashier's  Reports  for  any  given  day.  Rather,  it  is  a  function 
of  the  total  number  of  cash  registers  opened  on  a  given  day. 
To  define  the  population,  Julian  dates  were  assigned  to  each 
of  the  Daily  Activity  Reports  for  the  period  of  December  1991 
through  February  1992.  This  resulted  in  a  population  which 
was  identifiable  by  discreet  integers  from  335  through  365  and 
one  through  60.  For  attributes  which  had  a  sampling  unit  of 
the  Daily  Cashier's  Record,  an  associated  Daily  Activity 
Report  was  identified  by  random  sampling  and  the  attached 
Daily  Cashier's  Reports  were  tested. 

Sample  size  was  established  by  arbitrarily  specifying  the 
deviation  rate  which  the  evaluator  would  allow  in  the 
population  and  still  consider  the  control  to  be  effective 
[Ref.  9:  p.  422].  For  attributes  1,  3,  and  4  above,  the 
tolerable  deviation  rate  (TDR)  was  established  at  10  percent; 
and  for  attribute  3,  TDR  was  set  at  5  percent. 

The  next  step  was  to  specify  the  acceptable  risk  of 
overreliance  (ARO),  which  is  the  risk  the  evaluator  is  willing 
to  accept  that  the  sample  data  and  resulting  inferences 
misstate  the  actual  population  deviation  characteristics 
[Ref.  9:p.  422].  The  ARO  was  set  at  10  percent  for  attributes 
1 ,  2 ,  and  4 ,  and  was  set  at  5  percent  for  attribute  3 .  Lower 
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risk  and  tolerable  deviation  levels  were  used  for  attribute  3 
because  of  the  greater  importance  of  this  control  relative  to 
the  other  attributes  being  tested. 

The  last  entering  argument  for  determining  sample  size  was 
the  estimation  of  the  population  deviation  rate  (EPDR).  EPDR 
is  the  evaluator's  advance  estimate  of  the  percentage  of 
deviations  in  the  population  [Ref.  9: p.  423].  Through  random 
observation  of  the  use  of  the  Daily  Cashier's  Records  and 
Daily  Activity  Reports,  EPDR  was  set  at  zero  for  attributes 
1 ,  2 ,  and  3  and  at  2  percent  for  attribute  4 . 

Utilizing  an  attribute  sampling  table  [Ref.  9:p.  425], 
sample  sizes  were  determined  for  the  attributes  of  the  cash 
receipt  and  control  cycle.  Attributes  1  and  2  resulted  in 
sample  sizes  of  18  and  attribute  3  resulted  in  a  sample  size 
of  36.  For  these  three  attributes  the  actual  sampling  unit 
was  the  Daily  Cashier's  Record.  The  samples  of  18,  18,  and  27 
were  selected  from  the  Daily  Activity  Reports,  and  all  of  the 
attached  Daily  Cashier's  Records  were  tested  for  the 
respective  attribute.  The  samples  thus  became  18,  18,  and  27 
individual  days'  Cashier's  Records.  This  resulted  in  91  Daily 
Cashier's  Records  for  attribute  1,  100  Daily  Cashier's  Records 
for  attribute  2,  and  191  Daily  Cashier's  Records  for  attribute 
3.  Statistically,  a  much  larger  then  necessary  number  of 
documents  was  tested  for  these  attributes,  but  selection  of 
the  Daily  Cashier's  Records  was  simplified  by  association  with 
the  related  Daily  Activity  Reports.   Attribute  4  resulted  in 
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a  sample  size  of  27,  which  only  required  sampling  of  the  Daily 
Activity  Report.  The  finite  population  correction  factor  was 
applied  to  achieve  the  final  result  for  each  attribute,  to 
allow  for  the  relatively  large  percentage  of  a  small 
population  being  tested  [Ref.  9:p.  426]. 

Samples  were  selected  using  a  random  number  chart  of  2,500 
four-digit  random  numbers  [Ref.  12 :p.  589-593].  The  selection 
was  based  on  the  last  three  digits  in  the  random  numbers  and 
the  start  point  was  established  by  the  "blind-stab"  method. 
Once  the  appropriate  quantity  of  random  numbers  was  generated 
for  attribute  1,  calendar  dates  were  assigned  to  the  random 
Julian  date  equivalents,  and  those  Daily  Activity  Reports  were 
selected  and  the  attached  Daily  Cashier's  Records  were 
examined  for  deviations.  This  selection  process  was  repeated 
for  each  of  the  other  three  attributes  providing  separate, 
distinct,  random  lists  for  each  characteristic.  Deviations 
were  recorded  and  totalled  for  each  attribute. 

Deviations  and  sample  size  information  were  combined  to 
convert  the  sample  deviation  results  into  inferences  about  the 
incidence  of  deviations  in  the  population.  A  second 
attributes  sampling  table  was  used  to  determine  a  computed 
upper  deviation  rate  (CUDR)  for  each  attribute.  CUDR  is  the 
highest  expected  percentage  deviation  rate  in  the  population, 
given  the  risk  of  overreliance  acceptable  to  the  evaluator. 
[Ref.  9:p.  427-429] 
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The  data  for  attributes  1  through  4  are  summarized  in  Table  1 


TABLE  1 
CASH  RECEIPT  AND  CONTROL  ATTRIBUTE  SAMPLING  DATA 


Attribute   Sample  Size   Deviations 


ARO 


CUDR 


TDR 


1 

91 

3 

10% 

7.37% 

10 

2 

100 

0 

10% 

2.30% 

10 

3 

191 

0 

5% 

1.60% 

5 

4 

27 

0 

10% 

8.24% 

10 

The  data  indicate  that,  for  the  selected  tolerable 
deviation  rate  and  the  selected  acceptable  risk  of 
overreliance,  that  the  populations  represented  by  attributes 
1  through  4  meet  the  reguirements  of  the  evaluation.  This  is 
necessarily  so  because  TDR  is  greater  than  CUDR  in  each  case. 
The  implication  is  that  the  greatest  deviation  expected  in  the 
population  is  less  than  the  deviation  that  is  acceptable  to 
the  evaluator. 

C.   TESTS  OF  PAYROLL  CYCLE  CONTROLS 

The  tests  of  the  payroll  cycle  for  the  NAFI  centered  on 
the  Time  and  Attendance  Report  (DA  Form  4850)  and  the 
Nonappropriated  Fund  Document  Transmittal  Form  (DA  Form  4853). 
Since  the  accounting  for  pay  and  preparation  of  checks  is  done 
by  the  CAO,  the  responsibility  of  the  NAFI  is  concentrated  on 
the  preparation  and  timely  submission  of  the  Time  and 
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Attendance  Forms.    The  key  controls,  related  attributes,  and 
sampling  unit  for  the  payroll  cycle  are  as  follows: 


Key  Control 

1.  Authorization 
of  pay 


2 .  Complete 

Documentation 


Sampling  Unit 

Time  and  Attendance 
Report 


Transmittal 
document 


Attribute 

Manager's 
or 

Assistant's 
signature 

Reguired 

documentation 

present 


The  time  and  attendance  reports  and  the  transmittal 
documents  are  retained  at  the  NAFI  for  two  past  pay  periods. 
Since  60  personnel  are  employed  at  the  NAFI,  this  provided  a 
population  of  120  to  test.  The  most  important  control  was 
attribute  1  which  is  the  authorization  for  each  individual  to 
receive  pay  for  the  hours  which  they  worked.  This 
authorization  establishes  the  entitlement  of  employees  to 
wages.  The  time  and  attendance  reports  are  identifiable  only 
by  names  or  social  security  numbers  of  the  individual 
employees.  This  made  identification  of  population  individuals 
difficult  and  complicated  the  method  for  selecting  a  random 
sample  of  population  members.  To  circumvent  this  difficulty, 
the  decision  was  made  to  examine  the  entire  population  given 
that  the  total  population  of  120  individuals  was  relatively 
easy  to  test. 

Testing  for  attribute  1  resulted  in  no  deviations.  The 
population  was  first  counted  to  ensure  there  were  no  missing 


52 


documents,  given  an  employee  count  received  from  the  manager. 
Specimen  signatures  were  received  from  the  manager  and 
assistant  manager  and  comparisons  were  made  to  the  time  and 
attendance  reports.  The  manager  had  signed  all  reports  in  the 
previous  two  pay  periods. 

Attribute  2  required  the  time  and  attendance  reports  and 
the  transmittal  documents  to  be  present  to  support 
documentation  requirements.  The  transmittal  documents  for 
both  previous  pay  periods  were  present  along  with  the 
associated  time  and  attendance  reports. 

D.   TESTS  OF  INVENTORY  RECEIPT  AND  CONTROL 

The  key  controls  in  the  inventory  receipt  and  control 
cycle  focused  on  the  approval  of  purchase  requests,  receipt  of 
inventory,  and  documentation  of  the  ordering  and  receiving 
process.  The  key  controls,  related  attributes,  and  sampling 
units  for  the  cycle  are  these: 


Key  Control 

1.  Purchase 
authorization 

2.  Received  inventory 
inspected 

3.  Complete 
Documentation 


Sampling  Unit 

NAF  Purchase 
Request 

Receiving 
Report 

Purchase  Order 


Attribute 

Manager's 
signature 

Manager's 
signature 

Required 

documents 

present 


The  documentation  for  inventory  receipt  and  control  is 
filed  by  the  NAFI  in  alphabetical  order  by  vendor  name  and  is 
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held  for  one  year.  The  filed  documents  represent  the  orders 
that  have  been  filled  and  for  which  purchase  orders  and 
receiving  reports  should  exist.  Copies  of  outstanding 
purchase  requests,  not  yet  filled,  are  maintained  in  a  binder 
by  the  receiving  clerk  in  alphabetical  order.  The  entire 
population  of  outstanding  requests  were  tested  for  attribute 
1  with  no  deviations. 

Since  there  was  no  readily  unique  identification  for  the 
filed  population  of  filled  orders,  a  count  was  made  to 
establish  a  base  for  the  sample  starting  point.  Five  hundred 
and  twenty-five  items  were  identified  in  the  population. 
Systematic  sampling  was  selected  as  a  sampling  technique, 
which  requires  the  evaluator  to  determine  a  sampling  interval 
based  on  the  total  population  divided  by  the  sample  size  [Ref . 
11 :p.  736].  This  interval  establishes  which  documents  to 
select  for  testing.  The  starting  point  of  the  selection 
process  is  the  result  of  a  random  number  selected  from  a 
random  number  table  using  a  "blind-stab"  technique.  Sample 
size  is  determined  by  selecting  a  desired  ARO,  TDR,  and  EPDR 
and  entering  the  appropriate  attributes  sampling  table  [Ref. 
9: p.  422-423].  The  finite  population  correction  factor  was 
then  applied  to  determine  the  minimum  required  sample  size  for 
inference  to  the  population.  Attributes  1  and  2  required 
samples  of  53,  which  gave  an  interval  of  every  ninth  document 
(525/53).  The  starting  point  for  attribute  1  was  document 
number  6  and  the  starting  point  for  attribute  2  was  document 
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number  4.  Attribute  3  required  a  sample  of  47,  which  gave  an 
interval  of  every  eleventh  document,  and  the  random  starting 
point  was  document  number  1 .  The  test  data  for  attributes  one 
1  through  3  are  presented  in  Table  2 . 


TABLE  2 
INVENTORY  RECEIPT  AND  CONTROL  ATTRIBUTE  SAMPLING  DATA 


Attribute  Sample  Size  Deviations  ARO  CUDR  TDR 

1  53             3  5%  14.3%  5% 

2  53             2  5%  11.7%  5% 

3  47             3  10%  13.4%  10% 


The  test  results  for  inventory  receipt  and  control 
indicate  that  the  controls  are  not  effective  in  achieving  the 
objectives  of  the  key  controls.  In  all  three  cases  the 
computed  upper  deviation  rate  far  exceeds  the  tolerable 
deviation  rate  established  for  the  attributes.  This  lack  of 
effective  internal  control  should  suggest  to  management  that 
greater  emphasis  needs  to  be  placed  on  this  area  to  strengthen 
controls  which  could  prevent  inadvertent  or  intentional  loss 
in  inventory  receipt  and  control. 

For  attribute  1 ,  the  three  deviations  consisted  of  three 
missing  NAF  Purchase  Requests.  So,  no  approval  signature 
could  be  found  for  those  purchases.  Attribute  2  was  the 
signature  of  the  manager  on  the  receiving  report.  Two 
deviations  were  found.  One  was  a  missing  receiving  report, 
which  was  considered  a  deviation.   The  second  deviation  was 
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the  lack  of  a  signature  on  the  receiving  report.  The  test  for 
the  third  attribute,  complete  documentation  of  the  cycle,  had 
three  sample  deviations  present.  Two  of  these  deviations  were 
for  missing  receiving  reports  and  the  third  deviation  was  for 
a  missing  NAF  Purchase  Request.  The  numbers  of  missing 
documents  in  the  samples  for  all  three  attributes  are  evidence 
of  the  ineffectiveness  of  internal  control  in  the  area  of 
complete  documentation. 

These  deviations  and  their  possible  implications  identify 
for  management  areas  of  opportunity  for  internal  control 
system  improvement.  By  utilizing  information  gained  in  the 
testing  and  evaluation  phase,  specific  recommendations  and 
conclusions  for  the  cycles  under  study  are  drawn  and  are 
presented  in  Chapter  V. 
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V.    ANALYSIS,  CONCLUSIONS,  AND  RECOMMENDATIONS 

A.  INTRODUCTION 

The  entire  process  of  investigating  and  understanding  the 
internal  controls  for  the  Fort  Ord  Golf  Course  has  required 
the  use  of  observation,  interviews,  operational  manuals  and 
regulations,  and  diagnostic  tools.  The  tools  that  were 
utilized  in  the  review  were  narrative  descriptions, 
flowcharts,  and  internal  control  questionnaires.  Use  of  these 
tools  and  the  results  of  tests  of  controls  provided  a  full 
understanding  of  the  internal  controls  for  the  desired 
transaction  cycles.  The  previous  chapters  have  developed  the 
principles  and  background  for  internal  controls  and  have 
described  investigative  techniques  to  gain  an  understanding  of 
the  internal  control  structure  as  implemented  by  the  golf 
course  management.  With  the  body  of  information  gathered,  an 
analysis  of  internal  control  effectiveness  can  be  made  for  the 
transaction  cycles  examined  in  the  study. 

B.  CASH  RECEIPTS  AND  CONTROL  ANALYSIS 

The  cash  receipts  and  control  transaction  cycle  is 
well  documented  and  effectively  controlled.  Each  phase  of  the 
process  from  receipt  of  the  change  fund  by  the  cashier  to  the 
deposit  of  the  cash  receipts  is  monitored  and  supervised  to 
prevent  loss  or  theft.   The  control  questionnaire,  located  in 


57 


section  B.3  of  Chapter  III,  was  answered  in  the  affirmative 
for  all  questions  except  14  and  27.  Question  14  was  not 
applicable  because  the  NAFI  does  not  maintain  accounts 
receivable  and  does  not  receive  payments  by  mail.  Number  27 
was  answered  in  the  negative,  which  implies  a  weakness  in  this 
area.  The  weakness  uncovered  by  question  27  is  the  failure  of 
management  to  authorize  in  writing  those  individuals  who  can 
close  cash  registers  and  receive  the  cash  balances  for  the 
business  day.  A  written  authorization  would  reduce  the  number 
of  individuals  with  the  responsibility  and  potential 
culpability  for  handling  these  monies  and  would  simplify  the 
chain  of  custody  for  inquiries  and  errors.  Observation 
showed  that  the  individuals  involved  in  the  cash  receipt 
transaction  cycles  were  knowledgeable  and  competent  in  their 
duties.  This  was  supported  by  the  attribute  sampling  results, 
which  revealed  very  few  errors  and  computed  upper  deviation 
rates  much  smaller  than  the  selected  tolerable  deviation 
rates.  Considering  the  importance  of  the  Daily  Activity 
Report  to  the  CAO,  these  results  are  reassuring.  The  results 
are  also  not  unexpected  because  the  Daily  Activity  Reports 
receive  scrutiny  on  a  continuous  basis  from  the  CAO,  which 
serves  as  an  external  reviewer  of  cash  receipts  and  control. 
Observation  did  uncover  one  inconsistency  in  cash  register 
operations.  The  error  concerned  a  failure  to  inform  a  manager 
of  an  overring  which  was  corrected  by  ringing  up  "no  sale"  for 
subsequent  transactions  to  cover  the  overring.   This  could  be 
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a  failure  to  adequately  train  an  individual  or,  more  likely, 
the  result  of  a  required  procedure  which  seemed  cumbersome  and 
inefficient  to  the  cashier.  Such  shortcuts  of  control  could 
lead  to  recriminations  against  the  cashier  if  a  surprise  cash 
count  is  taken  or  the  cashier  has  to  close  his/her  register 
while  a  cash  deficit  remains. 

Cash  receipts  are  likely  the  most  desirable  item  for  the 
employee  who  would  choose  to  be  dishonest.  The  NAFI  has 
adequate  internal  controls  to  prevent  loss  in  this  area  and 
the  controls  are  working  effectively. 

C.   PAYROLL  CYCLE  ANALYSIS 

The  NAFI  has  a  limited  but  important  role  to  play  in  the 
payroll  function.  The  key  area  for  this  transaction  cycle  is 
the  time  and  attendance  report,  which  is  the  basis  for 
employees  earnings.  All  internal  control  questions  from  the 
questionnaire  in  section  C.3  of  Chapter  III  were  answered  in 
the  affirmative,  with  the  exception  of  number  12.  This 
question  asks  about  the  presence  of  written  authorization  for 
the  distribution  of  paychecks  for  the  NAFI.  Although  the 
payroll  clerk  has  this  responsibility,  according  to  the 
manager  and  the  payroll  clerk,  it  is  not  written  in  internal 
control  documents  or  standard  operating  procedures. 

Tests  of  the  documentation  and  authorizing  signature  on 
the  time  and  attendance  reports  showed  no  deviations  and  is 
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considered  to  be  in  control.  Two  weaknesses,  however,  were 
observed  in  the  payroll  transaction  cycle. 

In  regard  to  separation  of  duties,  the  payroll  clerk  has 
the  responsibility  for  every  key  duty  except  the 
authorization  of  the  time  and  attendance  reports.  Her  duties 
include  preparing  timecards,  transferring  hours  to  the  time 
and  attendance  reports,  mailing  the  documents  to  the  CAO, 
receiving  the  paychecks  from  RMD,  distributing  the  paychecks, 
and  disposing  of  undelivered  checks.  These  responsibilities 
could  likely  be  divided  among  other  administrative  personnel 
to  reduce  the  responsibility  of  the  one  individual  for  the 
cycle  and  to  gain  greater  control  through  shared 
responsibility. 

A  second  area  of  weakness  observed  in  the  study  was  the 
distribution  of  paychecks.  Supervisors  receive  paychecks  for 
their  divisions  and  become  responsible  for  distribution  within 
their  divisions.  No  receipt  signature  is  obtained  from  the 
supervisor,  which  eliminates  a  traceable  chain  of  custody  for 
the  checks.  A  lost  or  undelivered  check  would  be  difficult  to 
track  because  of  the  broken  chain  of  custody. 

Payroll  controls  are  strong  in  the  area  of  authorizing 
wages  and  ensuring  all  employees  are  paid.  However,  areas  of 
custody  and  separation  of  duties  need  to  be  evaluated  as  to 
their  impact  on  the  internal  control  objectives  of  the  NAFI. 
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D.   INVENTORY  RECEIPT  AND  CONTROL  ANALYSIS 

The  inventory  receipt  and  control  cycle  encompasses  the 
entire  process  of  requesting  purchases  and  receiving  services 
and  inventory  for  resale  and  use.  Although  the  NAFI  is  not 
responsible  for  the  preparation  of  the  actual  purchase  order, 
management  is  responsible  for  the  purchase  request  which  is 
used  to  prepare  the  subsequent  purchase  order.  The  NAFI  also 
is  responsible  for  the  receipt  and  inspection  of  goods  and  for 
preparation  of  the  receiving  report,  which  is  submitted  to  the 
CAO  to  trigger  the  payment  of  vendor  invoices.  All  internal 
control  questions  were  answered  in  the  affirmative  for  the 
inventory  receipt  and  control  cycle,  though  weaknesses  in 
implementation  were  shown  by  the  testing  of  controls. 

Areas  of  weakness  appeared  in  all  tests  of  key  controls. 
Computed  deviation  rates  were  far  in  excess  of  tolerable 
rates.  This  leads  to  a  conclusion  that  controls  are 
ineffective  in  this  area.  The  greatest  and  most  consistent 
deviation  was  the  lack  of  documentation  for  the  attribute 
being  investigated.  This  was  exacerbated  by  the  condition  of 
the  files  for  inventory  receipt  and  control.  The  NAFI 
established  a  one  year  filing  period  for  the  documentation  in 
the  cycle,  but  the  files  contained  purchase  orders  and 
attached  documentation  for  three  years.  The  old  documents 
were  included  in  the  sampling  scheme  and  most  likely  were 
responsible  for  some  of  the  deviations,  although  deviation 
rates  by  years  were  not  computed.   Errors  or  deviations  from 
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several  years  back  may  not  be  germane  to  the  operation  for 
today,  though,  because  changes  of  personnel  and  minor  changes 
in  procedures  could  have  reduced  deviation  rates  in  more 
current  files.  Additional  testing  of  the  most  current  files 
would  be  necessary  to  substantiate  such  a  claim,  however.  The 
files  for  inventory  receipt  and  control  need  to  be  purged  and 
brought  up  to  date  in  accordance  with  the  one  year  retention 
plan. 

The  inventory  receipt  and  control  cycle  was  not  operating 
effectively  because  the  controls  were  not  being  implemented 
adequately.  Turnover  in  personnel  within  the  receiving  and 
purchasing  area  of  administration  contributed  to  this  problem 
and  current  procedures  appear  to  be  in  conformance  to  control 
objectives,  based  on  the  outstanding  purchase  requests.  This 
assumption  could  also  be  the  result  of  a  transaction  cycle 
which  is  controlled  in  the  early  stages,  but  which  is  not 
adequately  controlled  in  the  latter  stages.  A  second  review 
of  internal  controls  for  this  area,  based  on  purged  files, 
would  be  necessary  to  assess  current  effectiveness. 

E .   RECOMMENDATIONS 

Recommendations  for  the  NAFI  follow  closely  the  conclusion 
and  analyses  that  were  presented  for  each  transection  cycle. 
Five  recommendations  are  offered  for  consideration  by 
management. 
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1.  Written  Authorization 

Less  verbal  authorization  and  more  written 
authorization  is  recommended  in  areas  where  transfer,  receipt, 
and  control  of  assets  is  required.  The  authority  to  close  and 
receive  cash  receipts  or  the  authority  to  disburse  paychecks 
are  examples  where  written  authorization  is  appropriate. 
These  measures  assign  responsibility  to  individuals  designated 
by  authority  and  prevent  access  by  others. 

2.  Separation  of  Key  Duties 

The  area  of  payroll  places  virtually  all  key  duties 
except  authorization  in  the  control  of  one  individual.  This 
not  only  places  a  burden  on  that  individual  but  also  places 
management  in  a  position  of  reduced  control  of  the  transaction 
cycle.  No  suggestion  is  made  that  a  trusted  employee  is  not 
honest,  but  it  is  in  the  best  interest  of  management  to  reduce 
areas  which  could  be  subject  to  errors  or  fraud  brought  about 
by  weaknesses  within  the  system. 

3.  Establish  Chain  of  Custody 

The  NAFI  management  would  benefit  in  meeting  internal 
control  objectives  by  ensuring  that  assets  which  are  subject 
to  transfer  or  use  are  traceable  through  a  chain  of  custody. 
The  distribution  of  paychecks  is  an  area  for  application  of 
this  measure.  A  chain  of  custody  which  requires  a  signature 
for  transfer  of  responsibility  protects  against  fraud  and  also 
aids  in  tracking  an  asset  which  is  lost  or  misplaced. 
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4.  Purges  Files 

Old  files  which  are  not  of  any  value  to  the  NAFI 
should  be  purged.  This  would  allow  for  a  more  efficient 
filing  system  that  could  be  managed  and  controlled  through  use 
of  implemented  internal  procedures.  Purging  old  files  would 
also  facilitate  the  internal  reviews  performed  by 
the  NAFI  or  some  other  external  agency. 

5.  Cash  Register  Training 

In  view  of  incorrect  procedures  used  by  a  cashier  in 
a  very  small  observation  sample,  it  is  possible  that 
procedural  training  could  enhance  the  operation  of  the 
cashiers  and  ensure  closer  conformance  to  internal  control 
directives.  Failure  of  cashiers  to  understand  the  procedures 
of  internal  control  put  them  in  jeopardy  of  surprise  cash 
counts  and  cash  deficits.  The  danger  to  the  NAFI  is  that 
undetected  procedural  errors  could  degenerate  into 
intentional  acts  of  dishonesty  and  theft. 
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